def make_certificate(
ca_crt_path = 'ca.crt',
ca_key_path = 'ca.key',
server_crt_path = 'server.crt',
server_key_path = 'server.key',
vars=None):
# make the certificat of CA
# need passphrase ?
ca_key = PKey()
ca_key.generate_key(TYPE_RSA, 1024)
dump_write(dump_privatekey(FILETYPE_PEM, ca_key),
ca_key_path)
# MAKE THE CA SELF-SIGNED CERTIFICATE
cert = X509()
sub = cert.get_subject()
set_x509_ca(sub, vars=vars)
#FORMAT : YYYYMMDDhhmmssZ
after = '20200101000000Z'
before = '20090101000000Z'
cert.set_notAfter(after)
cert.set_notBefore(before)
cert.set_serial_number(1)
cert.set_pubkey(ca_key)
cert.set_issuer(cert.get_subject())
cert.sign(ca_key,"MD5")
dump_write(dump_certificate(FILETYPE_PEM, cert),
ca_crt_path)
print "Generated CA certificate in %s" % ca_crt_path
# MAKE THE SERVER CERTIFICATE
s_key = PKey()
s_key.generate_key(TYPE_RSA, 1024)
dump_write(dump_privatekey(FILETYPE_PEM, s_key),
server_key_path)
s_cert = X509()
s_sub = s_cert.get_subject()
set_x509_serv(s_sub, vars=vars)
#FORMAT : YYYYMMDDhhmmssZ
after = '20200101000000Z'
before = '20090101000000Z'
s_cert.set_notAfter(after)
s_cert.set_notBefore(before)
s_cert.set_serial_number(2)
s_cert.set_pubkey(s_key)
s_cert.set_issuer(cert.get_subject())
s_cert.sign(ca_key,"MD5")
dump_write(dump_certificate(FILETYPE_PEM, s_cert),
server_crt_path)
print "Generated Server certificate in %s" % server_crt_path
for p in [ca_key_path, server_key_path]:
os.chmod(p, 0600)
def __getitem__(self, cn):
cnp = os.path.sep.join([self.cache_dir, '.pymp_%s.pem' % cn])
if not os.path.exists(cnp):
# create certificate
key = PKey()
key.generate_key(TYPE_RSA, 2048)
# Generate CSR
req = X509Req()
req.get_subject().CN = cn
req.set_pubkey(key)
req.sign(key, 'sha256')
# Sign CSR
cert = X509()
cert.set_subject(req.get_subject())
cert.set_serial_number(self.serial)
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(31536000)
cert.set_issuer(self.cert.get_subject())
cert.set_pubkey(req.get_pubkey())
cert.sign(self.key, 'sha256')
with open(cnp, 'wb+') as f:
f.write(dump_privatekey(self.filetype, key))
f.write(dump_certificate(self.filetype, cert))
return cnp
def _generate_ca(self):
# Generate key
self.key = PKey()
self.key.generate_key(TYPE_RSA, 2048)
# Generate certificate
self.cert = X509()
self.cert.set_version(3)
self.cert.set_serial_number(1)
self.cert.get_subject().CN = 'Namecoin .bit proxy'
self.cert.gmtime_adj_notBefore(0)
self.cert.gmtime_adj_notAfter(315360000)
self.cert.set_issuer(self.cert.get_subject())
self.cert.set_pubkey(self.key)
self.cert.add_extensions([
X509Extension("basicConstraints", True, "CA:TRUE, pathlen:0"),
X509Extension("keyUsage", True, "keyCertSign, cRLSign"),
X509Extension("subjectKeyIdentifier",
False,
"hash",
subject=self.cert),
])
self.cert.sign(self.key, "sha256")
with open(self.ca_file, 'wb+') as f:
f.write(dump_privatekey(self.filetype, self.key))
f.write(dump_certificate(self.filetype, self.cert))
# export for Windows
with open("ca.crt", 'wb+') as f:
f.write(dump_certificate(self.filetype, self.cert))
def __getitem__(self, cn):
cnp = path.sep.join([self.cache_dir, '.pymp_%s.pem' % cn])
if not path.exists(cnp):
# Crea Key
key = PKey()
key.generate_key(TYPE_RSA, 2048)
# Crea CSR
# revisar : http://stackoverflow.com/questions/24043226/generating-a-csr-with-python-crypto
req = X509Req()
req.get_subject().CN = cn
req.set_pubkey(key)
req.sign(key, 'sha1')
# Firmar CSR
cert = X509()
cert.set_subject(req.get_subject())
cert.set_serial_number(self.serial)
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(31536000)
cert.set_issuer(self.cert.get_subject())
cert.set_pubkey(req.get_pubkey())
cert.sign(self.key, 'sha1')
with open(cnp, 'wb+') as f:
f.write(dump_privatekey(FILETYPE_PEM, key))
f.write(dump_certificate(FILETYPE_PEM, cert))
return cnp
def __getitem__(self, cn):
'''
Gets the specified Certificate authority file if it already exists, else creates one!
'''
cnp = path.sep.join([self.cache_dir, '.pymp_%s.pem' % cn])
if not path.exists(cnp):
# create certificate
key = PKey()
key.generate_key(TYPE_RSA, 2048)
# Generate CSR
req = X509Req()
req.get_subject().CN = cn
req.set_pubkey(key)
req.sign(key, 'sha1')
# Sign CSR
cert = X509()
cert.set_subject(req.get_subject())
cert.set_serial_number(self.serial)
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(31536000)
cert.set_issuer(self.cert.get_subject())
cert.set_pubkey(req.get_pubkey())
cert.sign(self.key, 'sha1')
with open(cnp, 'wb+') as f:
f.write(dump_privatekey(FILETYPE_PEM, key))
f.write(dump_certificate(FILETYPE_PEM, cert))
return cnp
def _validate_dependencies_met():
"""
Verifies that PyOpenSSL's package-level dependencies have been met.
Throws `ImportError` if they are not met.
"""
# Method added in `cryptography==1.1`; not available in older versions
from cryptography.x509.extensions import Extensions
if getattr(Extensions, "get_extension_for_class", None) is None:
raise ImportError(
"'cryptography' module missing required functionality. "
"Try upgrading to v1.3.4 or newer.")
# pyOpenSSL 0.14 and above use cryptography for OpenSSL bindings. The _x509
# attribute is only present on those versions.
from OpenSSL.crypto import X509
x509 = X509()
if getattr(x509, "_x509", None) is None:
raise ImportError("'pyOpenSSL' module missing required functionality. "
"Try upgrading to v0.14 or newer.")
def create_dummy_certificate(certname,keyname,_dir, force=False) -> bool:
if certname and keyname and _dir:
if path.exists(_dir+keyname) and path.exists(_dir+certname) and not force:
return True
else:
if path.exists(_dir+certname):
remove(_dir+certname)
if path.exists(_dir+keyname):
remove(_dir+keyname)
key = PKey()
key.generate_key(TYPE_RSA, 4096)
cert = X509()
cert.set_serial_number(uuid4().int)
cert.set_version(2)
cert.get_subject().C = "US"
cert.get_subject().ST = "WA"
cert.get_subject().L = "127.0.0.1"
cert.get_subject().O = "github.com/qeeqbox/analyzer"
cert.get_subject().OU = "github.com/qeeqbox/analyzer"
cert.get_subject().CN = "auto generated self signed certificate by qeeqbox/analyzer"
cert.gmtime_adj_notBefore(-60 * 60 * 24 * 365 * 2)
cert.gmtime_adj_notAfter(60 * 60 * 24 * 365 * 2)
cert.set_issuer(cert.get_subject())
cert.set_pubkey(key)
cert.add_extensions([X509Extension(b"basicConstraints", True, b"CA:TRUE, pathlen:0"),
X509Extension(b"keyUsage", True, b"keyCertSign, cRLSign"),
X509Extension(b"subjectKeyIdentifier", False, b"hash", subject=cert),])
cert.sign(key, 'sha256')
with open(_dir+certname, 'wb') as f:
f.write(dump_certificate(FILETYPE_PEM, cert))
with open(_dir+keyname, 'wb') as f:
f.write(dump_privatekey(FILETYPE_PEM, key))
return True
return False
def _generate_ca(self):
# Crea KEY de tipo RSA
self.key = PKey()
self.key.generate_key(TYPE_RSA, 2048)
# Crea Certificado X509
self.cert = X509()
self.cert.set_version(3)
# Le puse 10000 no se por que
self.cert.set_serial_number(1)
self.cert.get_subject().CN = 'ca.proxymitm.com'
self.cert.gmtime_adj_notBefore(0)
#Tiempo de duracion del certificado
self.cert.gmtime_adj_notAfter(315360000)
self.cert.set_issuer(self.cert.get_subject())
self.cert.set_pubkey(self.key)
#Atributos del ceriticado
self.cert.add_extensions([
X509Extension("basicConstraints", True, "CA:TRUE, pathlen:0"),
X509Extension("keyUsage", True, "keyCertSign, cRLSign"),
X509Extension("subjectKeyIdentifier",
False,
"hash",
subject=self.cert),
])
self.cert.sign(self.key, "sha256")
with open(self.ca_file, 'wb+') as f:
f.write(dump_privatekey(FILETYPE_PEM, self.key))
f.write(dump_certificate(FILETYPE_PEM, self.cert))
def pem_cert_bytes_to_open_ssl_x509(cert: bytes) -> X509:
"""Convert PEM-formatted certificate bytes into an X509 instance usable for cert
chain validation
"""
cert_crypto = load_pem_x509_certificate(cert, default_backend())
cert_openssl = X509().from_cryptography(cert_crypto)
return cert_openssl
def get_cert_path(self, cn):
cnp = os.path.sep.join(
[self.cache_dir,
'%s-%s.pem' % (self.CERT_PREFIX, cn)])
if os.path.exists(cnp):
print("Cert already exists common_name=%s" % cn)
else:
print("Creating and signing cert common_name=%s" % cn)
key = PKey()
key.generate_key(TYPE_RSA, 2048)
# Generate CSR
req = X509Req()
req.get_subject().CN = cn
req.set_pubkey(key)
req.sign(key, 'sha1')
# Sign CSR
cert = X509()
cert.set_subject(req.get_subject())
cert.set_serial_number(123)
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(31536000)
cert.set_issuer(self.cert.get_subject())
cert.set_pubkey(req.get_pubkey())
cert.sign(self.key, 'sha256')
with open(cnp, 'wb+') as f:
f.write(dump_privatekey(FILETYPE_PEM, key))
f.write(dump_certificate(FILETYPE_PEM, cert))
print("Created cert common_name=%s location=%s" % (cn, cnp))
return cnp
def verify_signature(signature_input,
signature,
pubkey_pem,
digest_algo='sha256'):
'''Verify if `signature` over `signature_input` was created using
`digest_algo` by the private key of the `pubkey_pem`.
A signature is the private key encrypted hash over the signature input data.
Args:
signature_input(bytes): signed data
signature(bytes):
pubkey_pem(str): PEM formatted pubkey
digest_algo(str): name of the used digest hash algorithm
(default: 'sha256')
Return:
True, if signature could be verified
False, else
'''
cryptography_key = serialization.load_pem_public_key(pubkey_pem, backend)
pkey = pkey_from_cryptography_key(cryptography_key)
auxiliary_cert = X509()
auxiliary_cert.set_pubkey(pkey)
try:
verify(cert=auxiliary_cert,
signature=signature,
data=signature_input,
digest=digest_algo)
except OpenSSL_crypto_Error:
return False
return True
def make_cert(filename, cacert=None, cakey=None):
key = PKey()
key.generate_key(TYPE_RSA, 2048)
cert = X509()
subject = cert.get_subject()
subject.C = b"TR"
subject.ST = b"Çorum"
subject.L = b"Başmakçı"
subject.CN = b"localhost"
subject.O = b"Mozilla Test"
subject.OU = b"Autopush Test %s" % filename
subject.emailAddress = b"*****@*****.**"
subjectAltName = X509Extension(b'subjectAltName', False, b'DNS:localhost')
cert.add_extensions([subjectAltName])
cert.set_serial_number(uuid.uuid4().int)
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(60 * 60 * 24 * 365 * 100)
cert.set_pubkey(key)
if not cacert:
# self sign
cacert = cert
cakey = key
cert.set_issuer(cacert.get_subject())
cert.sign(cakey, 'sha1')
with open(filename, 'wb') as fp:
fp.write(dump_privatekey(FILETYPE_PEM, key))
fp.write(dump_certificate(FILETYPE_PEM, cert))
return cert, key
def _gen_ca(self, again=False):
# Generate key
if os.path.exists(self.ca_file_path) and os.path.exists(
self.cert_file_path) and not again:
self._read_ca(self.ca_file_path)
return
self.key = PKey()
self.key.generate_key(TYPE_RSA, 2048)
# Generate certificate
self.cert = X509()
self.cert.set_version(2)
self.cert.set_serial_number(1)
self.cert.get_subject().CN = 'CachingProxy'
self.cert.gmtime_adj_notBefore(0)
self.cert.gmtime_adj_notAfter(315360000)
self.cert.set_issuer(self.cert.get_subject())
self.cert.set_pubkey(self.key)
self.cert.add_extensions([
X509Extension(b"basicConstraints", True, b"CA:TRUE, pathlen:0"),
X509Extension(b"keyUsage", True, b"keyCertSign, cRLSign"),
X509Extension(b"subjectKeyIdentifier",
False,
b"hash",
subject=self.cert),
])
self.cert.sign(self.key, "sha256")
with open(self.ca_file_path, 'wb+') as f:
f.write(dump_privatekey(FILETYPE_PEM, self.key))
f.write(dump_certificate(FILETYPE_PEM, self.cert))
with open(self.cert_file_path, 'wb+') as f:
f.write(dump_certificate(FILETYPE_PEM, self.cert))
def _sign_ca(self, cn, cnp):
# 使用合法的CA证书为代理程序生成服务器证书
# create certificate
try:
key = PKey()
key.generate_key(TYPE_RSA, 2048)
# Generate CSR
req = X509Req()
req.get_subject().CN = cn
req.set_pubkey(key)
req.sign(key, 'sha256')
# Sign CSR
cert = X509()
cert.set_version(2)
cert.set_subject(req.get_subject())
cert.set_serial_number(self.serial)
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(31536000)
cert.set_issuer(self.cert.get_subject())
ss = ("DNS:%s" % cn).encode(encoding="utf-8")
cert.add_extensions([X509Extension(b"subjectAltName", False, ss)])
cert.set_pubkey(req.get_pubkey())
cert.sign(self.key, 'sha256')
with open(cnp, 'wb+') as f:
f.write(dump_privatekey(FILETYPE_PEM, key))
f.write(dump_certificate(FILETYPE_PEM, cert))
except Exception as e:
raise Exception("generate CA fail:{}".format(str(e)))
def _generate_ca(self):
'''
This function generates the certificate authority file
'''
# Generate key
self.key = PKey()
self.key.generate_key(TYPE_RSA, 2048)
# Generate certificate
self.cert = X509()
self.cert.set_version(3)
self.cert.set_serial_number(1)
self.cert.get_subject().CN = 'ca.mitm.com'
self.cert.gmtime_adj_notBefore(0)
self.cert.gmtime_adj_notAfter(315360000)
self.cert.set_issuer(self.cert.get_subject())
self.cert.set_pubkey(self.key)
self.cert.add_extensions([
X509Extension("basicConstraints", True, "CA:TRUE, pathlen:0"),
X509Extension("keyUsage", True, "keyCertSign, cRLSign"),
X509Extension("subjectKeyIdentifier",
False,
"hash",
subject=self.cert),
])
self.cert.sign(self.key, "sha1")
with open(self.ca_file, 'wb+') as f:
f.write(dump_privatekey(FILETYPE_PEM, self.key))
f.write(dump_certificate(FILETYPE_PEM, self.cert))
def test_issue_certificate_with_csr(self):
"""
Tests issuance of a certificate
"""
cmd = issueCertificate.issueCertificateCmd()
cmd.csr = "-----BEGIN CERTIFICATE REQUEST-----\nMIIBHjCByQIBADBkMQswCQYDVQQGEwJJTjELMAkGA1UECAwCSFIxETAPBgNVBAcM\nCEd1cnVncmFtMQ8wDQYDVQQKDAZBcGFjaGUxEzARBgNVBAsMCkNsb3VkU3RhY2sx\nDzANBgNVBAMMBnYtMS1WTTBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQD46KFWKYrJ\nF43Y1oqWUfrl4mj4Qm05Bgsi6nuigZv7ufiAKK0nO4iJKdRa2hFMUvBi2/bU3IyY\nNvg7cdJsn4K9AgMBAAGgADANBgkqhkiG9w0BAQUFAANBAIta9glu/ZSjA/ncyXix\nyDOyAKmXXxsRIsdrEuIzakUuJS7C8IG0FjUbDyIaiwWQa5x+Lt4oMqCmpNqRzaGP\nfOo=\n-----END CERTIFICATE REQUEST-----"
cmd.provider = 'root'
response = self.apiclient.issueCertificate(cmd)
self.assertTrue(response.privatekey is None)
self.assertTrue(len(response.cacertificates) > 0)
self.assertTrue(len(response.certificate) > 0)
cert = x509.load_pem_x509_certificate(str(response.certificate), default_backend())
# Validate basic certificate attributes
self.assertEqual(cert.signature_hash_algorithm.name, 'sha256')
self.assertEqual(cert.subject.get_attributes_for_oid(x509.oid.NameOID.COMMON_NAME)[0].value, 'v-1-VM')
# Validate certificate against CA public key
global PUBKEY_VERIFY
if not PUBKEY_VERIFY:
return
caCert = x509.load_pem_x509_certificate(str(self.getCaCertificate()), default_backend())
x = X509()
x.set_pubkey(load_publickey(FILETYPE_PEM, str(caCert.public_key().public_bytes(serialization.Encoding.PEM, serialization.PublicFormat.SubjectPublicKeyInfo))))
verify(x, cert.signature, cert.tbs_certificate_bytes, cert.signature_hash_algorithm.name)
def test_issue_certificate_without_csr(self):
"""
Tests issuance of a certificate
"""
cmd = issueCertificate.issueCertificateCmd()
cmd.domain = 'apache.org,cloudstack.apache.org'
cmd.ipaddress = '10.1.1.1,10.2.2.2'
cmd.provider = 'root'
response = self.apiclient.issueCertificate(cmd)
self.assertTrue(len(response.privatekey) > 0)
self.assertTrue(len(response.cacertificates) > 0)
self.assertTrue(len(response.certificate) > 0)
cert = x509.load_pem_x509_certificate(str(response.certificate), default_backend())
# Validate basic certificate attributes
self.assertEqual(cert.signature_hash_algorithm.name, 'sha256')
self.assertEqual(cert.subject.get_attributes_for_oid(x509.oid.NameOID.COMMON_NAME)[0].value, 'apache.org')
# Validate alternative names
altNames = cert.extensions.get_extension_for_oid(x509.oid.ExtensionOID.SUBJECT_ALTERNATIVE_NAME)
for domain in cmd.domain.split(','):
self.assertTrue(domain in altNames.value.get_values_for_type(x509.DNSName))
for address in cmd.ipaddress.split(','):
self.assertTrue(address in map(lambda x: str(x), altNames.value.get_values_for_type(x509.IPAddress)))
# Validate certificate against CA public key
global PUBKEY_VERIFY
if not PUBKEY_VERIFY:
return
caCert = x509.load_pem_x509_certificate(str(self.getCaCertificate()), default_backend())
x = X509()
x.set_pubkey(load_publickey(FILETYPE_PEM, str(caCert.public_key().public_bytes(serialization.Encoding.PEM, serialization.PublicFormat.SubjectPublicKeyInfo))))
verify(x, cert.signature, cert.tbs_certificate_bytes, cert.signature_hash_algorithm.name)
def verify_sig(data, sig, public_key):
"""
Verify a signature
"""
# HACK b/c openssl expects an X509 object
cert = X509()
cert.set_pubkey(public_key)
return verify(cert, sig, data, HASH_TYPE)
def check_authorized(signature, public_key, payload):
"""Reformat PEM-encoded public key for pyOpenSSL, verify signature.
See: https://docs.travis-ci.com/user/notifications/#Verifying-Webhook-requests
"""
pkey_public_key = load_publickey(FILETYPE_PEM, public_key)
certificate = X509()
certificate.set_pubkey(pkey_public_key)
verify(certificate, signature, payload, str('sha1'))
def check_authorized(self, signature, public_key, payload):
"""
Convert the PEM encoded public key to a format palatable for pyOpenSSL,
then verify the signature
"""
pkey_public_key = load_publickey(FILETYPE_PEM, public_key)
certificate = X509()
certificate.set_pubkey(pkey_public_key)
verify(certificate, signature, payload, str('sha1'))
def logHeader():
popen_list = [sys.executable, lazylibrarian.FULL_PATH]
popen_list += lazylibrarian.ARGS
header = "Startup cmd: %s\n" % str(popen_list)
header += 'Interface: %s\n' % lazylibrarian.CONFIG['HTTP_LOOK']
header += 'Loglevel: %s\n' % lazylibrarian.LOGLEVEL
for item in lazylibrarian.CONFIG_GIT:
header += '%s: %s\n' % (item.lower(), lazylibrarian.CONFIG[item])
header += "Python version: %s\n" % sys.version.split('\n')
# noinspection PyDeprecation
header += "Distribution: %s\n" % str(platform.dist())
header += "System: %s\n" % str(platform.system())
header += "Machine: %s\n" % str(platform.machine())
header += "Platform: %s\n" % str(platform.platform())
header += "uname: %s\n" % str(platform.uname())
header += "version: %s\n" % str(platform.version())
header += "mac_ver: %s\n" % str(platform.mac_ver())
header += "openssl: %s\n" % getattr(ssl, 'OPENSSL_VERSION', None)
header += "requests: %s\n" % getattr(requests, '__version__', None)
if not lazylibrarian.GROUP_CONCAT:
# 3.5.4 is the earliest version with GROUP_CONCAT which we use, but is not essential
header += 'sqlite3: missing required functionality. Try upgrading to v3.5.4 or newer. You have '
header += "sqlite3: %s\n" % getattr(sqlite3, 'sqlite_version', None)
try:
# pyOpenSSL 0.14 and above use cryptography for OpenSSL bindings. The _x509
# attribute is only present on those versions.
# noinspection PyUnresolvedReferences
import OpenSSL
# noinspection PyUnresolvedReferences
from OpenSSL.crypto import X509
x509 = X509()
if getattr(x509, "_x509", None) is None:
header += "pyOpenSSL: module missing required functionality. Try upgrading to v0.14 or newer. You have "
header += "pyOpenSSL: %s\n" % getattr(OpenSSL, '__version__', None)
from OpenSSL import SSL
except ImportError:
header += "pyOpenSSL: module missing\n"
try:
import OpenSSL.SSL
except (ImportError, AttributeError) as e:
header += 'OpenSSL missing module/attribute: %s\n' % e
try:
# get_extension_for_class method added in `cryptography==1.1`; not available in older versions
# but need cryptography >= 1.3.4 for access from pyopenssl >= 0.14
# noinspection PyUnresolvedReferences
import cryptography
# noinspection PyUnresolvedReferences
from cryptography.x509.extensions import Extensions
if getattr(Extensions, "get_extension_for_class", None) is None:
header += "cryptography: module missing required functionality. Try upgrading to v1.3.4 or newer. You have "
header += "cryptography: %s\n" % getattr(cryptography, '__version__',
None)
except ImportError:
header += "cryptography: module missing\n"
return header
def setup_class(cls):
cls.intermediate_cert = load_certificate(FILETYPE_PEM, cls.intermediate_certificate_pem)
cls.pub_cert = load_certificate(FILETYPE_PEM, cls.apple_root_cert_pem)
cls.priv_key = load_privatekey(FILETYPE_PEM, cls._root_key_pem)
cls.priv_key_spoof = PKey()
cls.priv_key_spoof.generate_key(TYPE_RSA, 1024)
cls.pub_cert_spoof = X509()
cls.pub_cert_spoof.set_pubkey(cls.priv_key_spoof)
def check_exception(self):
"""
Call the method repeatedly such that it will raise an exception.
"""
for i in xrange(self.iterations):
cert = X509()
try:
cert.get_pubkey()
except Error:
pass
def _sign_csr(self, key, req): cert = X509() cert.set_subject(req.get_subject()) cert.set_serial_number(self.serial) cert.gmtime_adj_notBefore(0) cert.gmtime_adj_notAfter(31536000) cert.set_issuer(self.cert.get_subject()) cert.set_pubkey(req.get_pubkey()) cert.sign(self.key, 'sha1') return cert
def sign_certificate_request(self, cert_req: X509Req, serial_number: int) -> X509:
cert = X509()
cert.set_issuer(self.__cert.get_subject())
cert.set_pubkey(cert_req.get_pubkey())
cert.set_subject(cert_req.get_subject())
cert.set_serial_number(serial_number)
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(365 * 24 * 60 * 60)
cert.sign(self.__pkey, "sha256")
return cert
def verifyFunction(self,absolutePathWithText, absolutePathWithPubKey, absolutePathWithSig):
pk = self.loadPublicKey(absolutePathWithPubKey)
x509 = X509()
x509.set_pubkey(pk)
signature = open(absolutePathWithSig, 'rb').read()
try:
if (verify(x509, signature, open(absolutePathWithText).read(), 'sha256') == None):
print("验证成功")
except:
print("验证失败!")
def _create_cert(self, pkey, commonname, serial, extensions, **kwargs):
""" Create a certificate
Arguments:
pkey -- the key pair for the certificate
commonname -- the common name for the certificate subject
serial -- the certificate serial number
extensions -- the X509Ext list
Keywords arguments:
expire -- the number for days the certificate is valid (default 365)
version -- the version number for the certificate (default 1)
"""
expire_kw = 'expire'
if expire_kw in kwargs:
expire = kwargs[expire_kw]
else:
expire = 365
version_kw = 'version'
if version_kw in kwargs:
version = kwargs[version_kw]
else:
version = 1
now = datetime.utcnow()
cert = X509()
cert.get_subject().CN = commonname
cert.get_issuer().CN = self.commonname
startdate = now.strftime('%Y%m%d%H%M%SZ')
cert.set_notBefore(startdate.encode('ascii'))
enddate = (now + timedelta(expire)).strftime('%Y%m%d%H%M%SZ')
cert.set_notAfter(enddate.encode('ascii'))
cert.set_pubkey(pkey)
cert.set_serial_number(serial)
cert.set_version(version)
if extensions:
cert.add_extensions(extensions)
self._sign_cert(cert)
cert_pem = crypto.dump_certificate(crypto.FILETYPE_PEM, cert).decode()
cert_path = self._get_cert_path(commonname, serial)
with open(cert_path, 'w') as cert_file:
cert_file.writelines(get_pretty_subject(cert))
cert_file.writelines(cert_pem)
cert_link = self._get_cert_link(commonname)
if os.path.exists(cert_link):
os.unlink(cert_link)
os.symlink(os.path.basename(cert_path), cert_link)
return cert
def make_cert(req: X509Req, ca_pkey: PKey) -> X509:
cert = X509()
cert.set_serial_number(1)
cert.set_version(2)
cert.set_subject(req.get_subject())
cert.set_pubkey(req.get_pubkey())
cert.set_notBefore(x509_time(minutes=-1))
cert.set_notAfter(x509_time(days=30))
# noinspection PyTypeChecker
cert.sign(ca_pkey, 'sha1')
return cert
def create_certificate_from_csr(csr, issuer):
x = X509()
x.set_issuer(issuer.get_subject())
x.set_subject(csr.get_subject())
x.set_pubkey(csr.get_pubkey())
x.set_serial_number(1)
now = datetime.datetime.utcnow()
not_before = convert_timestamp(now)
not_after = convert_timestamp(now + datetime.timedelta(days=365 * 5))
x.set_notBefore(not_before)
x.set_notAfter(not_after)
return x
def check_authorized(signature, payload):
"""
Convert the PEM encoded public key to a format palatable for pyOpenSSL,
then verify the signature
"""
response = requests.get('https://api.travis-ci.org/config', timeout=10.0)
response.raise_for_status()
public_key = response.json(
)['config']['notifications']['webhook']['public_key']
pkey_public_key = load_publickey(FILETYPE_PEM, public_key)
certificate = X509()
certificate.set_pubkey(pkey_public_key)
verify(certificate, base64.b64decode(signature), payload, str('SHA1'))
